Blizzard Group’s ApolloShadow Malware Installs Root Certificates to Trust Malicious Sites
Microsoft Threat Intelligence has exposed a sophisticated cyberespionage operation orchestrated by the Russian state-sponsored actor tracked as Secret Blizzard, which has been actively compromising foreign embassies in Moscow through an adversary-in-the-middle (AiTM) technique to deploy the custom ApolloShadow malware.
This campaign, ongoing since at least 2024, leverages an AiTM position at the Internet Service Provider (ISP) level to install trusted root certificates on victim devices, effectively tricking them into authenticating malicious actor-controlled domains.
This enables persistent access for intelligence gathering, posing a severe threat to diplomatic entities and sensitive organizations reliant on local Russian telecommunications infrastructure.
Secret Blizzard’s ISP-level capabilities had previously been assessed only with low confidence, in the context of domestic espionage; this campaign is the first high-confidence confirmation of them, potentially facilitated by Russia’s System for Operative Investigative Activities (SORM), which allows large-scale traffic interception and manipulation.
Secret Blizzard’s Cyberespionage Campaign
The operation’s initial access exploits captive portals, redirecting devices to actor-controlled domains via DNS manipulation.
When a Windows device initiates the Test Connectivity Status Indicator by querying http://www.msftconnecttest.com/redirect, Secret Blizzard intercepts the request, presenting a certificate validation error that prompts users to download and execute ApolloShadow, disguised as a legitimate installer.
Upon execution, the malware evaluates the process token’s elevation type using APIs like GetTokenInformation.
If lacking full elevation (TokenElevationTypeFull), it follows a low-privilege path, collecting host IP details via GetIpAddrTable, Base64-encoding them twice, and exfiltrating via a GET request to a spoofed timestamp.digicert.com/registered endpoint with parameters like ‘code’ and ‘t’.
The AiTM setup redirects this to deliver an encoded VBScript payload, decoded and executed as edgB4ACD.vbs in the TEMP directory using CreateProcessW, followed by a ShellExecuteA call to trigger a User Access Control (UAC) prompt for elevation.
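The low-privilege beacon described above is observable at a web proxy or gateway even though it is addressed to a spoofed DigiCert host name. The following is an added example, not code from the article or from Microsoft: it scans constructed proxy log lines, keys on the `/registered` path and the `code`/`t` parameters the article names, and reverses the double Base64 encoding of `code` to recover what the implant sent. The log layout (`timestamp key=value ...`) and the layout of the encoded host data (`host=...;ip=...;mask=...`) are assumptions; the article only states that host IP details are Base64-encoded twice.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample of what the double-Base64 'code' parameter might carry.
# The article only says ApolloShadow collects host IP details via GetIpAddrTable
# and Base64-encodes them twice; this field layout is an assumption.
SAMPLE_HOST_INFO = "host=DIPLO-WS01;ip=10.0.12.37;mask=255.255.255.0"


def double_b64(text: str) -> str:
    """Encode text with Base64 twice, as the article says the beacon does."""
    once = base64.b64encode(text.encode("utf-8"))
    return base64.b64encode(once).decode("ascii")


# Constructed proxy log lines in a made-up "ts key=value ..." layout, not any
# vendor's real schema. Line 2 is the beacon; the others are benign traffic to
# the same host name and to the Windows connectivity-test URL.
SAMPLE_LOG = [
    "2025-07-30T09:12:01Z src=10.0.12.37 method=POST url=http://timestamp.digicert.com/",
    "2025-07-30T09:12:44Z src=10.0.12.37 method=GET "
    "url=http://timestamp.digicert.com/registered?code="
    + quote(double_b64(SAMPLE_HOST_INFO), safe="") + "&t=1722330764",
    "2025-07-30T09:13:02Z src=10.0.12.38 method=GET url=http://www.msftconnecttest.com/redirect",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split(" ")
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_apolloshadow_beacon(url: str) -> bool:
    """Match on path and parameters, never on the host name alone: the real
    timestamp.digicert.com is a legitimate Authenticode timestamping service."""
    parts = urlsplit(url)
    if parts.hostname != "timestamp.digicert.com" or parts.path != "/registered":
        return False
    params = parse_qs(parts.query)
    return "code" in params and "t" in params


def decode_beacon(url: str):
    """Reverse the double Base64 of the 'code' parameter; None if it does not decode."""
    blob = parse_qs(urlsplit(url).query).get("code", [""])[0]
    try:
        inner = base64.b64decode(blob, validate=True)
        return base64.b64decode(inner, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan(lines):
    """Return one finding per beacon line: timestamp, source address, decoded payload."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if is_apolloshadow_beacon(rec.get("url", "")):
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "decoded": decode_beacon(rec["url"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} ApolloShadow beacon -> {f['decoded']}")
```

Because the article says this request is answered by the AiTM position rather than by DigiCert’s real server, a proxy that also records the destination IP gives a second check: the spoofed host name resolving to an address outside the legitimate service’s ranges is worth alerting on independently of the URL pattern.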

ApolloShadow’s Persistence Mechanisms
In elevated mode, ApolloShadow modifies network profiles to ‘Private’ status for easier lateral movement, achieved through registry edits under SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles by setting Category values to 0, requiring a reboot for effect.
Concurrently, it employs Component Object Model (COM) objects to enable firewall rules for Network Discovery (FirewallAPI.dll,-32752) and File and Printer Sharing (FirewallAPI.dll,-28502), immediately opening ports without reboot.
The malware then displays a deceptive installation window while installing two root certificates via certutil.exe commands, adding them to the Enterprise root and CA stores from temporary .crt files in %TEMP%.
To ensure compatibility with Firefox, which maintains independent certificate stores, ApolloShadow writes a wincert.js preference file to the browser’s directory, enabling security.enterprise_roots.enabled to trust OS-level certificates.
Culminating its deployment, ApolloShadow creates a persistent local administrator account named UpdatusUser with a hardcoded, non-expiring password using NetUserAdd, masquerading elements as Kaspersky Anti-Virus components to evade detection.
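The persistence steps above (root certificates added with certutil.exe from %TEMP%, NetworkList profile Category values set to 0, the Firefox wincert.js preference file, and the UpdatusUser account) each leave host telemetry that can be correlated. The following is an added example, not code from the article or from Microsoft: it runs four indicator rules over constructed endpoint events and escalates a host when two or more distinct indicators coincide. The event schema, host names, GUID and file paths are assumptions; the `-enterprise` and `-addstore` certutil options are real, but the exact command lines the malware uses are not given on the page.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry in a simplified, made-up schema (not any
# vendor's real event format). DIPLO-WS01 shows the full indicator chain;
# DIPLO-WS02 shows benign activity that the rules must not flag.
SAMPLE_EVENTS = [
    {"host": "DIPLO-WS01", "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil.exe -f -enterprise -addstore Root "C:\Users\u\AppData\Local\Temp\cert_a.crt"'},
    {"host": "DIPLO-WS01", "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -f -enterprise -addstore CA C:\Users\u\AppData\Local\Temp\cert_b.crt"},
    {"host": "DIPLO-WS01", "type": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{11111111-2222-3333-4444-555555555555}",
     "value_name": "Category", "data": "0"},
    {"host": "DIPLO-WS01", "type": "account_created", "account": "UpdatusUser"},
    {"host": "DIPLO-WS01", "type": "file_write",
     "path": r"C:\Program Files\Mozilla Firefox\defaults\pref\wincert.js",
     "content": 'pref("security.enterprise_roots.enabled", true);'},
    # Benign: a vendor code-signing certificate pushed to TrustedPublisher from
    # a deployment share, and an ordinary service account being created.
    {"host": "DIPLO-WS02", "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -addstore TrustedPublisher \\deploy\certs\vendor.cer"},
    {"host": "DIPLO-WS02", "type": "account_created", "account": "svc_backup"},
]


def certutil_root_install(e):
    """certutil.exe adding a .crt/.cer from a Temp directory to the Root or CA store."""
    if e["type"] != "process" or not e["image"].lower().endswith("certutil.exe"):
        return False
    m = re.search(r'-addstore\s+"?(\w+)"?\s+("[^"]+"|\S+)', e["cmdline"], re.I)
    if not m:
        return False
    store, path = m.group(1).lower(), m.group(2).strip('"').lower()
    return store in {"root", "ca"} and "\\temp\\" in path and path.endswith((".crt", ".cer"))


def network_profile_category_zero(e):
    """A NetworkList profile's Category value being set to 0, as the article describes."""
    if e["type"] != "registry":
        return False
    return ("\\networklist\\profiles\\" in e["key"].lower()
            and e["value_name"].lower() == "category" and e["data"] == "0")


def updatususer_created(e):
    """Creation of the hardcoded local account name from the article."""
    return e["type"] == "account_created" and e["account"].lower() == "updatususer"


def firefox_enterprise_roots_pref(e):
    """wincert.js written under a Firefox directory and enabling OS root trust."""
    if e["type"] != "file_write":
        return False
    path = e["path"].lower()
    return ("firefox" in path and path.endswith("wincert.js")
            and "security.enterprise_roots.enabled" in e.get("content", ""))


RULES = {
    "certutil_root_install": certutil_root_install,
    "network_profile_category_zero": network_profile_category_zero,
    "updatususer_created": updatususer_created,
    "firefox_enterprise_roots_pref": firefox_enterprise_roots_pref,
}


def analyze(events):
    """Return {host: sorted list of distinct indicator names that fired}."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def verdict(indicators, threshold=2):
    """Two or more distinct indicators on one host warrant escalation; one alone is reviewed."""
    return "escalate" if len(indicators) >= threshold else "review"


if __name__ == "__main__":
    for host, names in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict(names)} ({', '.join(names)})")
```

Each rule is deliberately narrow (store name, source directory, value name and data, account name, preference name), so a single rule firing in isolation, such as an administrator legitimately adding an enterprise root, is routed to review rather than escalated; it is the combination on one host that mirrors the article’s description.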
This setup facilitates TLS/SSL stripping, exposing traffic in clear text for credential harvesting and token interception, akin to prior Secret Blizzard campaigns involving trojanized Flash installers against Eastern European targets.
Attributed by CISA to Russia’s Federal Security Service (Center 16) and overlapping with aliases like VENOMOUS BEAR, Turla, and Snake, the actor’s tactics underscore the need for robust defenses.
Microsoft recommends routing traffic through encrypted VPN tunnels to trusted external networks or adopting satellite-based providers outside Russian influence, alongside monitoring for indicators like anomalous certificate installations and UAC prompts.
These measures, detailed in Microsoft’s guidance, enhance resilience against AiTM threats globally, as similar techniques appear in operations tracked by other vendors.